Notes from CPNT-250 course at SAIT.
Approach depends on type of incident. Includes:
- reviewing logs
- review relevant files
- identify unauthorized user accounts or groups
- checking the shell history
- identify rogue processes
- checking for rootkits
stat - display file or file system status
- (M)odified time stamp is updated when the content of the file or directory is written.
- (A)ccessed time stamp is updated when the content of the file or directory is read.
- (C)hanged time stamp is updated when the inode is modified.
- (D)eleted time stamp is updated only when the file is deleted.
FHS is a standard that describes the proper organization and use of the various directories found on Linux systems.
- /bin: essential binaries for all users.
- /boot: files needed for the system bootloader
- /dev: device files
- /etc: system configuration files
- /home: user home directories
- /lib: essential shared libraries and kernel modules
- /media: mount points for removable media (usually automounts)
- /mnt: temporary mount points (usually mounted manually)
- /opt: add-on application packages (outside of system package manager)
- /root: root user’s home directory
- /sbin: system binaries
- /tmp: temporary files
Ownership and Permissions
Ownership refers to the user and/or group that a file or directory belongs to, whereas permissions refer to the things these (and other) users can do with or to the file or directory.
Files are ‘hidden’ from normal view by beginning the filename with a dot ‘.’.
In the example above ‘.’ refers to the current directory, ‘..’ refers to the parent directory and ‘...’ refers to an actual directory we just created. This is a sneaky way to hide a directory in plain sight.
In the next example we are hiding a secret in the file named ‘ ‘.
In the next example we alias ls to show control characters. Then we create a filename with a backspace character ‘\b’.
Begin looking for information on user accounts in /etc/passwd. It contains a list of users and the full path to their home directory. The passwords for user accounts are generally stored in the /etc/shadow file.
username : hashed password (deprecated) : user id : group id : comment : home dir : shell
/etc/group file has a format similar to /etc/passwd.
group name : group password hash : group id : csv of group members
/etc/shadow contains the hashed user passwords. ‘*’ and ‘!!’ in the password field indicate a daemon account, because these are not user accounts and should not need to log in. If any daemon accounts have a password hash in that field then they should be investigated.
The default shell in most Linux distributions is the Bourne Again Shell (BASH). Commands typed in shell sessions will usually be stored in a file in the user's home directory called ‘.bash_history’.
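As an added example (not part of the course notes), a small Python triage script over constructed /etc/passwd and /etc/shadow content that applies the checks above: it flags UID 0 accounts other than root and daemon accounts whose shadow password field holds a usable hash rather than ‘*’ or ‘!!’. The field layouts follow the notes; the sample lines, LOCKED set and function names are my own assumptions.

```python
# Constructed sample files (not captured from a real host); field layout as in the notes:
# passwd: user : x : uid : gid : comment : home : shell
# shadow: user : hash : (ageing fields ...)
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0:backup:/var/backups:/bin/bash
"""
SHADOW = """root:$6$abc$examplehash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
sshd:$6$def$examplehash:19000:0:99999:7:::
alice:$6$ghi$examplehash:19000:0:99999:7:::
backup2:!!:19000:0:99999:7:::
"""

# Password-field values that mean "no usable password" (locked or never set).
LOCKED = {"*", "!", "!!", ""}


def parse_passwd(text):
    """Return {username: {uid, gid, home, shell}} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _comment, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """Return {username: password-field} from shadow-format text."""
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if l.strip()}


def find_suspicious(passwd_text, shadow_text):
    """Apply the notes' two account checks; returns [(user, reason), ...] in passwd order."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []
    for name, u in users.items():
        pw = hashes.get(name, "")
        usable = pw not in LOCKED and not pw.startswith("!")  # "!$6$..." = locked hash
        is_daemon = u["shell"].endswith(("nologin", "/false"))
        if u["uid"] == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if is_daemon and usable:
            findings.append((name, "daemon account with a usable password hash"))
    return findings


if __name__ == "__main__":
    for user, reason in find_suspicious(PASSWD, SHADOW):
        print(f"{user}: {reason}")
```

On a live system the same functions can be fed the real files (reading /etc/shadow needs root), with LOCKED extended to whatever conventions the distribution uses.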
- .bash_profile: stores the commands that are run when the shell is started. A default copy is found in the /etc/skel directory.
- .bash_history: audit trail of commands the user has run.
- .bash_logout: set of commands that are run when the shell exits. Default copy in the /etc/skel directory.
- .bashrc: same purpose as .bash_profile.
Most logs are stored in clear text, with a single line per event.
/var/run/utmp: holds information about active system logons.
/var/log/wtmp: stores logon information long term.
lastlog is a binary log file that stores the last logon time and remote host for each user on the system.
- /var/log/messages or /var/log/syslog: catch all, non specified logs.
- /var/log/auth.log: user authentication attempts.
- /var/log/audit/audit.log: Auditd/SELinux
- /var/log/boot.log: Boot process logs.
ps - report a snapshot of the current processes.
- -a: all users
- -x: processes not attached to a terminal
- -t: TCP
- -u: UDP
- -l: listening
- -p: list process name
- -n: addresses as numbers
- -a: both listening and non-listening
lsof - list open files
crontab - maintains crontab files for individual users.
- Registry: hierarchical database that contains configuration for the windows system.
- File Metadata: Created, Modified, Accessed times.
- Hibernation File (hiberfil.sys): Sleep data is stored to the hard drive.
- Prefetch Files: Designed to speed up process startup. Found in %SystemRoot%\prefetch.
- Event Logs: lets admins view event logs on local or remote machines.
- Alternate Data Streams: Feature of NTFS to help support HFS. Can be used to store anything. (format: filename:stream)